Software Defined Radios: Hacking the Invisible by Davide Papini and Daniele Provenziani
1 like228 views
The document discusses software-defined radios (SDR) and their various applications, including GSM sniffing, GPS spoofing, and drone detection. It highlights the hardware used in SDR, spectrum basics, and provides demonstrations of manipulating radio signals and remote controls. The presenters, Davide Papini and Daniele Provenziani, share their expertise in cybersecurity and telecommunications.
Software Defined Radios: Hacking the Invisible by Davide Papini and Daniele Provenziani
- 1. Software Defined Radios: Hacking the Invisible Davide Papini Daniele Provenziani ROME - APRIL 13/14 2018
- 2. Who We Are • Davide Papini, Cyber Security researcher: • R&D Elettronica S.p.a. • PostDoc at Royal Holoway University of London • PhD at Technical University of Denmark • Daniele Provenziani, System Engineer: • EW COMM Elettronica S.p.a. • Solid Background in COMM ES and EA System • M.S. degree in Telecommunication Engineer at Tor Vergata University of Roma
- 3. Agenda • What are SDR • Applications (e.g. GSM, AIS, ADSB etc) • Hardware • Spectrum Background Demo Time • Mangling with radio mics • Spoofing GPS • Looking at Drones • Hacking remote controls
- 4. What are SDR • RF signal is directly digitalized at BaseBand • Processing is done in Software (digital and analog modulations). • Simple RF management e.g. sample rate, bandwidth, gain. • Easy prototyping (everything is SW)
- 5. SDR usages • Mobile e.g. 2G/3G/4G sniffing and BTS • Radio Broadcasting • GPS spoofing • Ship and Aircraft tracking • Radar • Direction Finding • Drone Detection and Interception • …Only your imagination can stop you…
- 6. Back in 2013: AIS Spoofing • New/Existing Ships Position Spoofing • Allows for false impact alerts • Can deceive authorities in finding target ship locations • Man-in-water spoofing • Distress beacon • SART (S.O.S.) alerts • Induces target ship to sail into hostile waters • Frequency Hopping DoS: • Induces target to change AIS frequency thus disappearing from legitimate systems Balduzzi et al @ Blackhat 2013
- 7. HW • Ettus Bus and Networked Series • Winradio • Nuand Blade RF • HackRF • PlutoRF • RTL-SDR Different specs: • Freq (30MHz-6GHz) • ADC resolution (8,12,14,16 bit) • Bandwidth (2MHz – 120 MHz) • Number of Channels
- 8. Spectrum Basics LTE BW = 20MHz
- 9. Spectrum Basics GSM BW = 200KHz
- 10. Demo Time • B210 • 2 TXRX, 2 RX channels • 56 MHz Bandwidth • 70MHz – 6GHz Frequency • N210 • 1 TXRX, 1 RX channel • 50 MHz Bandwidth • DC – 6GHz • Larger FPGA with RFNOC support (applications up to 100 MSps)
- 12. GPS Background
- 13. GPS Ephemeris • Each Satellite transmits its own navigational status • It transmits also the almanac: the status of the entire network • Need to know the ephemeris if you want to spoof a credible signal.
- 14. Looking at Drones LIVE DEMO
- 15. DRONE backgroud Remote Control (Uplink) Telemetry, Video data (Downlink) FPV Goggles FPV and Telemetry OSD
- 16. DRONE Remote Control RF Analisys RC Frequency Hopping Drone Video Streaming FSK modulation
- 17. DRONE RC Digital Modulation e.g. FSK Preamble SFD Payload (RC data/Telemetry Data) CRC
- 19. Wrapping up Q & A